Mailing List Archive: exim: dev

[Bug 823] exim does not perform smtp authentication when performing callouts

 

 



tom at duncanthrax

Mar 20, 2009, 8:45 AM

Post #1 of 4

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=823

Tom Kistner <tom [at] duncanthrax> changed:

What       |Removed   |Added
----------------------------------------------------------------------------
CC         |          |tom [at] duncanthrax
Status     |NEW       |RESOLVED
Resolution |          |FIXED




--- Comment #1 from Tom Kistner <tom [at] duncanthrax> 2009-03-20 15:45:51 ---
To solve the security problem when routing mail to dynamic addresses, I'd
recommend to use TLS/SSL certificates instead of SMTP AUTH. You probably use
TLS anyway. Check

http://www.exim.org/exim-html-current/doc/html/spec_html/ch30.html

for the hosts_require_tls and tls_verify_certificates options.



(In reply to comment #0)
> Also, I should be able to create a router that "steals" the routing in the case
> of verify to only check that the email address exists locally and not cause
> SMTP callouts.

Check the generic verify_* router options:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch15.html

These can also be inverted by prefixing them with "no_"
("no_verify_recipient"). You can then define a fall-through router that just
accepts (and has verify_only set).


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
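
The two suggestions in comment #1, sketched as an Exim configuration fragment. This is an added example, not configuration posted in the thread or shipped by the Exim project; the router and transport names, example.org, dynhost.example.net and the file paths are assumptions.

```exim
# Added example (constructed). Names, domains and paths are placeholders.

begin routers

# Real delivery route to the dynamic host. With no_verify_recipient set,
# this router is skipped while a recipient address is being verified,
# so verification never reaches the remote host and no callout is made.
to_dynamic_host:
  driver = manualroute
  domains = example.org
  route_list = * dynhost.example.net
  transport = dynhost_smtp_tls
  no_verify_recipient

# Fall-through router that runs only during verification (verify_only).
# It accepts the recipient when the local part is in a locally kept list;
# it is never used for delivery, so it needs no transport.
# Local parts not in the list pass on to whatever routers follow.
verify_dynamic_locally:
  driver = accept
  domains = example.org
  local_parts = lsearch;/etc/exim/dynhost_users
  verify_only

begin transports

# Delivery requires a TLS session, and the server certificate is checked
# against the CA file below, so the remote host has to prove its identity
# before any mail is handed over.
dynhost_smtp_tls:
  driver = smtp
  hosts_require_tls = *
  tls_verify_certificates = /etc/exim/dynhost-ca.pem
```

Router order matters here: the verify_only router has to come after the delivery router so that it catches the address the delivery router skipped during verification.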


jaco at uls

Mar 20, 2009, 8:55 AM

Post #2 of 4




--- Comment #2 from Jaco Kroon <jaco [at] uls> 2009-03-20 15:55:14 ---
(In reply to comment #1)
> To solve the security problem when routing mail to dynamic addresses, I'd
> recommend to use TLS/SSL certificates instead of SMTP AUTH. You probably use
> TLS anyway. Check

I'm not that worried about the security. The issue I'm trying to address is
the one where some other mail server comes up on my dangling IP and rejects my
mail, causing my own mail server to bounce my own mail instead of just caching
it. The idea is simple: if authentication fails entirely it's a temporary
error instead of a permanent one, causing a retry again at a later stage.

> > Also, I should be able to create a router that "steals" the routing in the case
> > of verify to only check that the email address exists locally and not cause
> > SMTP callouts.
>
> Check the generic verify_* router options:
>
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch15.html
>
> These can also be inverted by prefixing them with "no_"
> ("no_verify_recipient"). You can then define a fall-through router that just
> accepts (and has verify_only set).

Hmm, the no_verify_recipient might be a better option, I've done the
verify_only thing and just duplicated the option there making it go to
:blackhole: instead of the actual target. Clearly not the cleanest way, but it
serves the purpose.

I do disagree with the closing of the bug though. If a transport is set up to
require authentication then that authentication should be used in the case of
callout verifies as well. I'll leave this decision up to you though, other
options imho are workarounds and do not address the real problem.




tom at duncanthrax

Mar 20, 2009, 9:18 AM

Post #3 of 4

Tom Kistner <tom [at] duncanthrax> changed:

What       |Removed   |Added
----------------------------------------------------------------------------
Severity   |bug       |wishlist
Status     |RESOLVED  |REOPENED
Resolution |FIXED     |




--- Comment #3 from Tom Kistner <tom [at] duncanthrax> 2009-03-20 16:18:22 ---
(In reply to comment #2)

> I'm not that worried about the security. The issue I'm trying to address is
> the one where some other mail server comes up on my dangling IP and rejects my
> mail,

I'd be more worried if it accepts it :) In any case, when using
hosts_require_tls and tls_verify_certificates, failure to negotiate a TLS
session with a trusted cert will defer delivery. Which is what you want.

> I do disagree with the closing of the bug though. If a transport is set up to
> require authentication then that authentication should be used in the case of
> callout verifies as well. I'll leave this decision up to you though, other
> options imho are workarounds and do not address the real problem.

I agree it is a missing feature. I'll re-open it and flag it as "wishlist".

For your particular use case, using client authentication is the wrong way to
go. You wish to verify the identity of a remote host. That should be done with
TLS certs. A random host on a "dangling" dyndns record may just accept any
username and pass that you send, then swallow your mail.




tom at duncanthrax

Mar 20, 2009, 9:19 AM

Post #4 of 4

Tom Kistner <tom [at] duncanthrax> changed:

What       |Removed   |Added
----------------------------------------------------------------------------
Priority   |high      |medium



